If lighttpd is started privileged, then SSL/TLS modules need to be
initialized prior to chroot (optional) and prior to dropping privileges
in order to be able to read sensitive files such as private certificates
(thx m4t)
provide a safer X590_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693https://github.com/lighttpd/lighttpd1.4/pull/63https://github.com/lighttpd/lighttpd1.4/pull/83
It does seem possible for PROXY protocol subelements to be misaligned
and a message has been sent to HAProxy author of the PROXY protocol.
On most modern processors and operating systems, misaligned access has a
cost, but not the outrageous cost that it historical had on processors
and older operating systems such as on SPARC processors running Solaris
prior to Solaris 11.
ignore client verification error if not enforced
e.g. *not* ssl.verifyclient.enforce = "enable"
github: closes #83
x-ref:
"ignore client verification error if not enforced"
https://github.com/lighttpd/lighttpd1.4/pull/83
(original patch by mackyle)
The ssl.ca-dn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.
It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.
Signed-off-by: Kyle J. McKay mackyle@gmail.com
github: closes #64
x-ref:
"add support for ssl.cadn-file"
https://redmine.lighttpd.net/issues/2694https://github.com/lighttpd/lighttpd1.4/pull/64
autotools now use AC_PROG_CC_STDC macro instead of -std=gnu99.
The default in current modern gcc compilers is -std=gnu11
(Note: src/CMakeLists.txt and SConstruct still specify -std=gnu99)
silence compiler warnings if HAVE_FORK is not set
However, if HAVE_FORK is not set, then -Werror was probably passed to
./configure, which is currently a mistake. lighttpd can successfully
compiles src/ with -Werror on many platforms, but ./configure tests
should not be run with -Werror. [gstrauss]
github: closes #81
x-ref:
"Fix warnings"
https://github.com/lighttpd/lighttpd1.4/pull/81
median webpage in today's day and age contains 75-100 requests per page
so increasing the default server.max-keep-alive-requests in lighttpd
from 16 is more than warranted
x-ref:
"set server.max-keep-alive-requests = 100"
https://redmine.lighttpd.net/issues/2205
define MSG_DONTWAIT and MSG_NOSIGNAL to be no-ops on platforms
without support. (fd should already be configured O_NONBLOCK
and SIGPIPE signal is configured to be ignored)
(thx avij and wardw)
fix crash for invalid syntax in config file for server.modules
x-ref:
"Missing array entry type check in config_insert (configfile.c), SIGSEGV"
https://redmine.lighttpd.net/issues/2810
- lemon never calls the destructor for variables on the RHS, make sure
to manually clean up
- outside `if (ctx->ok) { }` always check for NULL pointers, i.e:
- if (x) x->free(x)
- buffer_free and array_free check for NULL on their own
- cleanup RHS variables below `if (ctx->ok) { }` at the bottom
- set variables to NULL before if ownership gets passed on
- move some buffers instead of copying them
x-ref:
"Memory corruption in yy_reduce (configparser.y), SIGSEGV"
https://redmine.lighttpd.net/issues/2809
Use same funcs as other dynamic handlers to recv data from backend.
Add hook for fastcgi to process FastCGI packets (and other future
dynamic handlers may hook this in order to handle custom data framing)
Provide a simple mechanism for mapping host and urlpath header strings
in proxied request and response well-known headers. This *is not*
intended as a one-size-fits-all, infinitely extensible, regex rewriting
engine. Instead, the proxy.header directive aims to provide built-in
functionality in mod_proxy for a few common use cases by performing
simple host matching or urlpath prefix matching, and using the
mapping of the first match. More complex use cases could possibly be
handled by a custom lighttpd module (which does not currently exist).
Note: the contents of the HTTP request-line and HTTP headers may or
may not be in normalized canonical forms, which may or may not influence
the simple matching performed. Admins should take care to provide safe
defaults (fail closed) if mapping is expected to occur and blindly
passing non-mapped requests is undesirable.
proxy.header = (
#"map-host-request" => (
#"-" => "...",#replace provided given Host request authority
#"..." => "-",#preserve existing authority (no further matching)
#"..." => "", #preserve existing authority (no further matching)
# #(equivalent to "xxx" => "xxx")
#"xxx" => "yyy", #map one string ("xxx") to another ("yyy")
#),
#"map-host-response" => (
#"-" => "...",#replace authority used in backend request
#"..." => "-",#replace with original authority
#"..." => "", #preserve existing authority (no further matching)
# #(equivalent to "xxx" => "xxx")
#"xxx" => "yyy", #map one string ("xxx") to another ("yyy")
#),
#"map-urlpath" => (
#"/xxx" => "/yyy",#map one urlpath prefix to another
#"/xxx/" => "/", #map one urlpath prefix to another
#"/xxx" => "", #map one urlpath prefix to another
#"/key" => "/value",
# Note: request headers have matching "key" prefix replaced with
# "value", and response headers have matching "value" prefix
# replaced with "key", with a pre-test of the "value" from the
# first-matched "key" in request headers (if there was a match)
#),
#"https-remap" => "enable",
# For https requests from client, map https:// to http://
# when map-host-request matches URI in request, and map http://
# to https:// when map-host-response matches URI in response.
# (mod_proxy currently sends all backend requests as http)
)
x-ref:
"feature to remove part of the URI when passing along requests..."
https://redmine.lighttpd.net/issues/152
flag high precision ts for %T after parsing %{xxx}T config
x-ref:
"%D and %{UNIT}T of mod_accesslog do not work as expected"
https://redmine.lighttpd.net/issues/2807
This patch fixes the build issue introduced with when code has been
shared in commit a448886485.
http-header-glue.c: In function 'http_cgi_headers':
http-header-glue.c:1555:39: error: 'b2' undeclared (first use in this function)
http-header-glue.c:1555:39: note: each undeclared identifier is reported only once for each function it appears in
github: closes #79
shared code to get mimetype string via longest extension match
(attempts to match file basename, then longest ext, then "")
Note: this is a behavior change from simple suffix match
if there are 16 or more entries in mimetypes.assign
To enable "Forwarded", must enable which params to include.
The recommended set is "for" and "proto" unless other params
are required and proper security precautions have been taken.
proxy.forwarded = ( "for" => 1,
"proto" => 1,
#"host" => 1,
#"by" => 1,
#"remote_user" => 1,
)
See https://tools.ietf.org/html/rfc7239 for info about "Forwarded"
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
Gaël PORTAY
